CVE-2025-55041

EUVD-2025-208829 | HIGH 8.0 (CVSS 3.1)
Published 2026-03-18 (source: mitre)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 18, 2026 - 16:15 (vuln.today)
- EUVD ID Assigned: Mar 18, 2026 - 16:15 (euvd), EUVD-2025-208829
- CVE Published: Mar 18, 2026 - 00:00 (nvd), HIGH 8.0

Description

MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGroup(), enabling malicious websites to forge requests that automatically execute when an authenticated administrator visits a crafted page. Successful exploitation results in the attacker gaining privilege escalation both horizontally to other groups and vertically to the admin group. Adding a user to the Super Admins group (s2 user) is not possible.

Analysis

MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the user management Add To Group functionality that allows attackers to escalate privileges by adding authenticated users to arbitrary groups without proper authorization validation. An authenticated administrator visiting a malicious webpage can be tricked into adding any user to the Admin group or other privileged groups, though escalation to the Super Admin (s2) group is blocked. This vulnerability enables both horizontal privilege escalation across different user groups and vertical privilege escalation to administrative roles, posing a significant risk to multi-user MuraCMS installations where administrator accounts are targeted.

Technical Context

The vulnerability exists in the cUsers.cfc component's addToGroup method, which handles user group assignment within MuraCMS, a content management system built on ColdFusion/CFML technology. The vulnerable function directly processes userId and groupId parameters submitted via HTTP requests and passes them to the getUserManager().createUserInGroup() backend function without implementing CSRF token validation or cross-request verification. This represents a classic CWE-352 (Cross-Site Request Forgery) issue compounded by insufficient authorization checks (related to CWE-284). Because the browser attaches the administrator's session cookie to a form submission regardless of which site issued it, and the same-origin policy does not block such cross-site requests from being sent, the lack of CSRF protection means that a state-changing operation (group membership modification) can be initiated from an external website. The addToGroup method fails to verify that the request originated from a legitimate MuraCMS admin interface and lacks server-side session binding (a per-session token) to validate request authenticity.

Affected Products

MuraCMS versions through 10.1.10 are affected by this vulnerability. The CVE data references cpe:2.3:a:n/a:n/a, indicating incomplete CPE information in the public database, though the vendor is clearly Mura Software. According to the vendor references provided, documentation at https://docs.murasoftware.com/v10/release-notes/#section-version-1014 should be consulted for specific patch information. The vulnerability affects the user management and group assignment functionality across all instances of MuraCMS 10.1.10 and earlier versions where the addToGroup method remains unpatched. Users running any version prior to the patched release should consider themselves at risk.

Remediation

Upgrade MuraCMS to a patched version released after 10.1.10; consult the vendor release notes at https://docs.murasoftware.com/v10/release-notes/ for the specific fixed version number and deployment instructions. As an immediate interim control pending patches, administrators should implement CSRF token validation by adding a CFML-level token check to the addToGroup function in cUsers.cfc, requiring that all user group modification requests include a cryptographically random, session-bound token generated by the application and verified server-side before processing. Additionally, restrict administrative access to the MuraCMS admin interface using network-level controls (IP whitelisting, VPN requirements) and enforce same-site cookie policies (SameSite=Strict) on all session cookies to mitigate cross-site request exploitation. Monitor group membership changes via audit logs and enforce multi-factor authentication for administrative accounts to reduce the impact of compromised admin sessions.
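The following component is an added example, not MuraCMS code, illustrating the interim control described above and the mechanism described under Technical Context: a session-bound token is issued when the Add To Group form is rendered and verified before the group change is made. It uses the CFML built-ins csrfGenerateToken() and csrfVerifyToken() (ColdFusion 10+ and Lucee), which require session management to be enabled in Application.cfc. The `userManager` argument, its `canAssignGroup()` method and the `session.mura.userId` lookup are assumptions standing in for Mura's own getUserManager() and session state.

```cfml
// Added example (not MuraCMS code): CSRF-checked addToGroup-style handler.
// Assumes Application.cfc sets:
//   this.sessionManagement = true;                      // needed by csrf*Token()
//   this.sessionCookie     = { sameSite: "strict", httpOnly: true, secure: true };
component {

    // One token key per sensitive action, so a token issued for another
    // form cannot be replayed against this one.
    variables.tokenKey = "cUsers.addToGroup";

    // Hypothetical dependency standing in for Mura's getUserManager() (assumption).
    public any function init(required any userManager) {
        variables.userManager = arguments.userManager;
        return this;
    }

    // Called by the page that renders the "Add To Group" form. The token is
    // bound to the current session and emitted as a hidden field.
    public string function renderTokenField() {
        var token = csrfGenerateToken(variables.tokenKey);
        return '<input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute(token)#">';
    }

    // Vulnerable shape described on this page (kept only for comparison, never call it):
    //   public void function addToGroupUnchecked(userId, groupId) {
    //       variables.userManager.createUserInGroup(arguments.userId, arguments.groupId);
    //   }

    // Hardened handler.
    public struct function addToGroup(required string userId,
                                      required string groupId,
                                      string csrfToken = "") {
        // Only POST: a cross-site <img> or link cannot produce a POST with a valid token.
        if (cgi.request_method != "POST") {
            return { "success": false, "message": "POST required" };
        }

        // Token must be present and must match the one stored in this session for this action.
        if (!len(arguments.csrfToken) ||
            !csrfVerifyToken(arguments.csrfToken, variables.tokenKey)) {
            // Surface forged attempts in the audit trail.
            writeLog(type="warning", file="mura-security",
                     text="Rejected addToGroup without valid CSRF token: userId=#arguments.userId# groupId=#arguments.groupId#");
            return { "success": false, "message": "Invalid or missing CSRF token" };
        }

        // The token proves the request came from our own form; authorisation is a
        // separate check (assumed method) that decides whether this admin may assign
        // this group at all, e.g. it should refuse the s2 Super Admin group.
        var actorId = session.mura.userId;   // assumption: Mura keeps the logged-in user here
        if (!variables.userManager.canAssignGroup(actorId, arguments.groupId)) {
            return { "success": false, "message": "Not authorised to assign this group" };
        }

        variables.userManager.createUserInGroup(arguments.userId, arguments.groupId);

        // Every membership change is logged with the acting admin, so the audit
        // monitoring recommended above has something to alert on.
        writeLog(type="information", file="mura-audit",
                 text="Group membership changed: actor=#actorId# userId=#arguments.userId# groupId=#arguments.groupId#");
        return { "success": true, "message": "User added to group" };
    }
}
```

Two design points: csrfGenerateToken() returns the same token for a given key within a session unless forceNew is requested, so the form and the handler agree without any extra storage, and the check runs before any parameter is used. The SameSite=Strict cookie setting in Application.cfc is defence in depth: it stops the browser attaching the session cookie to cross-site requests at all, but the token check still protects users of browsers or deployments where that attribute is not honoured.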

Priority Score

40 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.0
- CVSS: +40
- POC: 0
